CVE-2026-4698
Published: 24 March 2026
Description
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Mitigating Controls (NIST 800-53 r5) (AI)
Requires timely identification, reporting, and patching of the JIT miscompilation flaw in the Firefox and Thunderbird JavaScript Engine, fixed in versions such as Firefox 149.
Supports detection of systems running vulnerable pre-patch versions of Firefox and Thunderbird through regular vulnerability scanning.
Ensures receipt of, and response to, Mozilla advisories such as MFSA2026-20 that detail the CVE-2026-4698 patches, enabling prompt remediation.
Security Summary (AI)
CVE-2026-4698 is a JIT miscompilation vulnerability in the JavaScript Engine's JIT component, affecting Mozilla Firefox and Thunderbird. It impacts versions prior to Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. The issue, published on 2026-03-24, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-843.
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges and no user interaction; the scope is unchanged. Successful exploitation enables high-impact consequences, including unauthorized disclosure of information, modification of data, and denial of service.
Mozilla's security advisories (MFSA2026-20, MFSA2026-21, MFSA2026-22, and MFSA2026-23) and Bugzilla entry 2020906 detail the patches applied in the listed fixed versions, recommending immediate upgrades to mitigate the risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
JIT miscompilation RCE in browser JS engine (UI:N, network-reachable) directly enables drive-by browser exploitation (T1189) and client-side vulnerability exploitation for code execution (T1203).